
Re: When triggering default-src, report type of violation

From: Mike West <mkwst@google.com>
Date: Tue, 15 Jan 2013 06:56:14 -0800
Message-ID: <CAKXHy=fLbrmVaqKMLiLK+XkBSgVZWMXm4j1NgoOhe-38C7SiuQ@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Makes sense to me.

What would you like to see in the violation report? Would something like
`"violation-type": "image"` or `"violation-type": "frame"` be sufficient?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Mon, Jan 14, 2013 at 6:13 PM, Neil Matatall <neilm@twitter.com> wrote:

> When I receive a CSP report that was triggered by a default-src violation
> Then I would like to receive data indicating what type of violation
> occurred.
>
> When applying a policy, I copy default-src into any directive that doesn't
> have a value so when I receive the report, I know what type of violation
> occurred. With inline/eval, this isn't an issue because it's obviously
> script and script-src is usually defined anyhow :)
>
> Without this, I cannot tell whether it was a frame-src, font-src,
> connect-src, etc. violation because all I see is default-src in the
> violated directive field.
>
> Thoughts?
>
Received on Tuesday, 15 January 2013 14:57:06 GMT
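As an added example (not code from this thread or from either author), here is one way to implement the workaround Neil describes, copying default-src into every fetch directive the policy leaves unset, together with a report classifier that returns type labels in the spirit of Mike's proposed "violation-type" values. The fetch-directive list, the type names and the report shape are assumptions based on the CSP 1.0 report format.

```python
"""Added example: expand default-src into unspecified fetch directives and
classify a CSP 1.0 violation report by its violated-directive field.
Directive list, type labels and report shape are assumptions."""
import json

# Fetch directives that fall back to default-src when absent (CSP 1.0 set, assumed).
FETCH_DIRECTIVES = (
    "connect-src", "font-src", "frame-src", "img-src",
    "media-src", "object-src", "script-src", "style-src",
)
# Assumed mapping from directive name to a resource-type label.
RESOURCE_TYPE = {
    "connect-src": "connect", "font-src": "font", "frame-src": "frame",
    "img-src": "image", "media-src": "media", "object-src": "object",
    "script-src": "script", "style-src": "style",
}


def parse_policy(policy):
    """Return a dict of directive name -> source list, in policy order."""
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split(None, 1)
        if parts:
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives


def expand_default_src(policy):
    """Copy default-src into each fetch directive the policy does not set,
    so a later violation report names the specific directive, not default-src."""
    directives = parse_policy(policy)
    fallback = directives.get("default-src")
    if fallback is None:
        return policy  # nothing to expand
    for name in FETCH_DIRECTIVES:
        directives.setdefault(name, fallback)
    return "; ".join(f"{k} {v}".strip() for k, v in directives.items())


def violation_type(report_json):
    """Classify a CSP report (JSON body with a "csp-report" object, assumed
    CSP 1.0 shape); returns "unknown" when only default-src was violated."""
    body = json.loads(report_json)["csp-report"]
    name = body["violated-directive"].split()[0].lower()
    return RESOURCE_TYPE.get(name, "unknown")
```

With the expanded policy, a blocked image produces a report whose violated-directive starts with img-src, so the classifier returns "image" instead of "unknown".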

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 15 January 2013 14:57:07 GMT